Call for wide-ranging GDPR investigation into online ads, which could kill today’s real-time bidding system

Privacy News Online recently wrote about how the widely-used real-time bidding (RTB) system for online ads causes personal data to be spread widely among potential advertisers. We noted that one key proposal of the ePrivacy regulation, currently working its way through the EU legislative process, is to make it easy for people to opt out of this kind of online tracking. But some people are not waiting for the new law: instead, they hope to use the General Data Protection Regulation (GDPR), which came into force in May, to halt RTB in Europe. If they succeed, the impact is likely to be global.

A formal complaint has been submitted to the data protection authorities in the UK and in Ireland, asking them to investigate the use of real-time bidding systems by Google and other ad tech companies. The complainants are Dr Johnny Ryan of Brave, the Web browser company; Jim Killock, Executive Director of the Open Rights Group; and Michael Veale, a researcher at University College London. The complaint alerts European regulators to what it says is a massive and ongoing data breach that affects virtually every user on the Web.

The GDPR is a powerful weapon for data protection activists. It changes the privacy landscape dramatically, because of the potential fines involved. These may be up to 4% of an offending company’s global turnover. For Google, one of the leaders in the RTB business, that would be billions of dollars. This means a complaint to EU data protection authorities is not just some minor public relations annoyance for companies, but a very serious matter that could result in a major financial penalty. Importantly, it is one that can be awarded even against companies that are located outside the EU, such as Google.

The complaint could gain added force because of Article 62 of the GDPR, which encourages data protection authorities in different EU Member States to work together where relevant. Since RTB is a pan-European issue, up to 28 data protection authorities could choose to join in any investigation of the practice. The complainants spell out why they think RTB is problematic under the GDPR:

Every time a person visits a website and is shown a “behavioural” ad on a website, intimate personal data that describes each visitor, and what they are watching online, is broadcast to tens or hundreds of companies. Advertising technology companies broadcast these data widely in order to solicit potential advertisers’ bids for the attention of the specific individual visiting the website.

A data breach occurs because this broadcast, known as a “bid request” in the online industry, fails to protect these intimate data against unauthorized access. Under the GDPR this is unlawful.

The GDPR, Article 5, paragraph 1, point f, requires that personal data be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss.” If you cannot protect data in this way, then the GDPR says you cannot process the data.

The complaint also notes that Article 35 of the GDPR imposes another requirement on handling personal data when there is “a high risk to the rights and freedoms of natural persons”. Companies must “carry out an assessment of the impact of the envisaged processing operations on the protection of personal data”. There is no evidence any of the companies involved in RTB have done this.

If an investigation conducted by one or more national data protection authorities in the EU finds that the GDPR has indeed been breached by real-time bidding, the effects could be dramatic. As well as the threat of large fines for Google and other companies, a ruling that RTB is not compliant with the GDPR would cause serious upheavals in online advertising.

It’s not easy to see how the practice of RTB could be brought into compliance with EU law, since central to its operation is the ability to send personal data to large numbers of companies in fractions of a second. There seems little scope to ask users for specific, rather than general, consent every time that is done. Similarly, it will be hard to ensure that any data that is sent out to potential advertisers is then deleted after it is used. Article 5(1)(e) of the GDPR requires that personal data gathered for a particular purpose shall not be kept for longer than is necessary for that purpose. When personal data is being transmitted to hundreds of companies, it will be impossible to guarantee they comply with this requirement.

It’s no coincidence that one of the parties bringing this formal complaint is the browser company Brave. Its business model is based on giving control of advertising to its users. For example, it enables them to make micropayments to favored sites, using Private Internet Access’s VPNs to ensure personal details are kept confidential. Brave would obviously be delighted if the current dominant advertising model were found to be noncompliant with the GDPR. But the fact that it stands to gain from a ruling that RTB is illegal under EU legislation does not undermine the force of its arguments.

While it is true that Brave would certainly benefit from such a decision by data protection authorities, so would everyone else in the EU. People’s personal data would not be sprayed across the Internet invisibly, on a massive scale. Equally, that data would not then be used to build up personal profiles for microtargeting purposes, which are not under people’s control – a practice that has already had serious, real-world consequences.

Moreover, the knock-on effects of a decision against RTB are likely to spread beyond the EU’s borders, just as has happened with the GDPR itself. Many companies might decide to switch back to earlier forms of online advertising that were based on general information about the visitors to a particular Web site, rather than on an obsessive surveillance of everything people do online. That would be a welcome development for online privacy, which makes this call for a formal investigation of RTB worth watching closely.

Glyn Moody is a freelance journalist who writes and speaks about privacy, surveillance, digital rights, open source, copyright, patents and general policy issues involving digital technology. He started covering the business use of the Internet in 1994, and wrote the first mainstream feature about Linux, which appeared in Wired in August 1997. His book, "Rebel Code," is the first and only detailed history of the rise of open source, while his subsequent work, "The Digital Code of Life," explores bioinformatics - the intersection of computing with genomics.